TCPWave is proud to introduce DNS Shield to its suite of products. In organizations designed with an internal, privately rooted DNS system, caches become vulnerable when they learn tainted data by following referrals into a third party’s DNS systems. A tainted cache that has learned about the DNS roots from a third party tries to communicate with that third party’s root servers. In many scenarios, there are no backbone routing or firewall rules from the tainted cache to the third party’s roots or to the public Internet roots. TCPWave’s DNS Shield is a mechanism with which organizations can manage DNS delegations to third parties and protect their internal namespace. TCPWave’s DNS Shield filters out DNS responses from third parties that could inject any kind of taint into the internal cache appliances of your organization. It uses a DNS response inspection engine to analyze the DNS responses from the third parties, gives the legitimate answer to the cache device that sent the query to the third party, and drops all the remaining information that could poison or taint the cache.
TCPWave’s DNS Shield is available as a Dell OEM appliance and is typically placed between the organization’s cache servers and the third party DNS servers. Each organization’s internal DNS root is configured with a delegation to the TCPWave DNS Shield for the third party’s DNS lookups. The TCPWave DNS Shield takes the request from the cache and performs a recursive lookup against the third party’s DNS infrastructure. When the third party’s DNS server responds, the DNS Shield strips out the unwanted data that could taint the organization’s caching layer.
Consider organization A, whose internal DNS is not exposed to the public Internet and vice versa: its cache appliances carry hints pointing to its internal private roots instead of the public root servers. Internal users are therefore never exposed to the public DNS and cannot resolve external DNS names. This is a typical setup in organizations that have an internal domain namespace with absolutely no visibility into the public Internet.
In order for organization A to do business with organization B, the DNS administrator of organization A needs to add a DNS delegation. This delegation is added to the root zone of organization A’s DNS infrastructure.
When organization A’s cache device (shown in yellow) follows the referral, the authoritative servers of organization B return the answer and add authority and additional sections containing information about organization B’s DNS layout. The setup shown above can experience an outage when the hints of organization A get overwritten by the data received in organization B’s DNS responses. Note that organization A’s cache never asked about organization B’s roots. The additional and authority section data in the BIND responses received from organization B can overwrite the hints held by organization A’s cache. Since there is no connectivity from the internal namespace of organization A to the public Internet, DNS in organization A’s internal corporate network comes to a grinding halt. The DNS administrator of organization A can remove the delegation to organization B and simply add the required resource records to the DNS root zone, but this workaround has its own drawbacks.
Now consider organization A with its internal DNS still not exposed to the public Internet, but delegating all third party domains to the TCPWave DNS Shield appliances. The cache appliances, with hints pointing to the internal private roots, follow the referral and query the TCPWave DNS Shield appliances. In turn, the DNS Shield appliances query the third party’s authoritative servers and filter out the records that could taint or poison organization A’s caches. The originating client sees only the filtered response. This secure setup is a scalable solution when an enterprise needs to keep up with changes that take place in the third party’s DNS.
The DNS Shield between organization A and all its B2B partners (organization B) is shown in the diagram above. The DNS Shield protects organization A from potential DNS cache poisoning by stripping unwanted data from the DNS responses received from organization B.
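To make the filtering step concrete, here is an added example that is not TCPWave’s code: a small Python routine that parses a DNS response in wire format and keeps only the header, question and answer sections, zeroing NSCOUNT and ARCOUNT so that the authority and additional records a partner volunteers (such as NS records for the root and glue for its own root servers) never reach the requesting cache. The sample response, with names under partner.example and addresses from 192.0.2.0/24, is constructed for illustration.

```python
"""Strip authority and additional sections from a DNS response (RFC 1035 wire format).

Illustrative code only, not TCPWave's implementation. It models the response
inspection step described in the article: the cache receives the answer it asked
for, while records it never asked about (which could overwrite a private-root
cache's hints) are dropped.
"""
import struct


def _skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past the (possibly compressed) name at `offset`."""
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length == 0:                      # root label terminates the name
            return offset + 1
        if length & 0xC0 == 0xC0:            # compression pointer: 2 bytes, ends the name
            return offset + 2
        if length & 0xC0:
            raise ValueError("unsupported label type")
        offset += 1 + length


def _skip_rr(msg: bytes, offset: int) -> int:
    """Return the offset just past the resource record at `offset`."""
    offset = _skip_name(msg, offset)
    if offset + 10 > len(msg):               # TYPE(2) CLASS(2) TTL(4) RDLENGTH(2)
        raise ValueError("truncated RR header")
    rdlength = struct.unpack_from("!H", msg, offset + 8)[0]
    end = offset + 10 + rdlength
    if end > len(msg):
        raise ValueError("truncated RDATA")
    return end


def section_counts(msg: bytes) -> tuple:
    """Return (QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT) from the header."""
    return struct.unpack_from("!HHHH", msg, 4)


def strip_non_answer_sections(msg: bytes) -> bytes:
    """Return `msg` with the authority and additional sections removed."""
    if len(msg) < 12:
        raise ValueError("short header")
    ident, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & 0x8000:                   # QR bit clear: this is a query, not a response
        raise ValueError("not a response")
    offset = 12
    for _ in range(qd):
        offset = _skip_name(msg, offset) + 4  # QTYPE + QCLASS
    for _ in range(an):
        offset = _skip_rr(msg, offset)
    # Compression pointers may only refer to earlier bytes of the message
    # (RFC 1035 section 4.1.4), so pointers inside the kept answer records still
    # resolve after everything past the answer section is cut off.
    header = struct.pack("!HHHHHH", ident, flags, qd, an, 0, 0)
    return header + msg[12:offset]


def _encode_name(name: str) -> bytes:
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_sample_response() -> bytes:
    """Constructed sample: the kind of reply a partner's authoritative server might send."""
    question = _encode_name("www.partner.example") + struct.pack("!HH", 1, 1)  # A, IN
    # Answer: owner name is a pointer (0xC00C) to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    # Authority: an NS record for the root zone naming the partner's own root server.
    ns_target = _encode_name("root.partner.example")
    authority = _encode_name(".") + struct.pack("!HHIH", 2, 1, 3600, len(ns_target)) + ns_target
    # Additional: glue for that root server; this is what would overwrite the hints.
    additional = ns_target + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 53])
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 1, 1)  # QR, RD, RA set
    return header + question + answer + authority + additional


if __name__ == "__main__":
    raw = build_sample_response()
    filtered = strip_non_answer_sections(raw)
    print("before:", section_counts(raw), len(raw), "bytes")
    print("after: ", section_counts(filtered), len(filtered), "bytes")
```

Because the appliance performs the recursion itself, the cache behind it only needs the final answer, so dropping the glue in the additional section costs nothing. One caveat for a real deployment: the EDNS OPT pseudo-record also lives in the additional section, so a filter that zeroes ARCOUNT must re-append the OPT record if EDNS is in use between the appliance and the cache.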
With TCPWave DNS Shield, your enterprise can avoid DNS outages by protecting your internal DNS cache infrastructure with this added layer of security. The key benefits that you derive from the TCPWave DNS Shield appliance are:
TCPWave Inc’s DNS Shield adds intelligence to the DNS application layer by discarding unwanted DNS requests and responses that could poison your mission-critical DNS infrastructure.